Splunk Search

regex is working in cisco asa add-on but get error if the same regex is used in UI with regex command

net1993
Path Finder

Hello

I have the following regex from cisco asa add-on default transforms.conf:


[cisco_source_ipv4]
REGEX = \s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?(?:\((?:([\S^\\]+)\\)?([\w\-_]+)\))?\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*(?:\((?:([\S^\\]+)\\)?([\w\-_]+)\))?
FORMAT = src_zone::$1 src_ip::$2 src_port::$3 src_nt_domain::$4 src_user::$5 src_translated_ip::$6 src_translated_port::$7 src_nt_domain::$8 src_user::$9

 

The issue is that If I try to run the regex from UI, I get error :
Error in 'SearchOperator:regex': The regex '\s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?(?:\((?:([\S^\]+)\)?([\w\-_]+)\))?\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*(?:\((?:([\S^\]+)\)?([\w\-_]+)\))?' is invalid. Regex: missing closing parenthesis.


The add-on is working fine as well as search time field extraction so obviously the regex is working fine from transforms.conf but not in UI using regex command.

Someone can help?

Labels (1)
Tags (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

According to regex101.com, there are two incomplete capture groups. Adding a couple of parentheses solves this but I am not sure if they are in the right place for what you are trying to extract

| regex "\s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?(?:\((?:([\S^\]+)\)?([\w\-_]+)\))?)\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*(?:\((?:([\S^\]+)\)?([\w\-_]+)\))?)"

0 Karma

net1993
Path Finder

Which regex do you see errors for ? The first one or the one I have paste from the error? Because I noticed now that this one from the error is slightly different from the original and if I paste it in regex101 , then yes, there is error but as far as I see there is no error in the original regex if pasted in regex101, isn't that correct?

Its strange why splunk has changes on the regex by itself , I guess this is where the error is coming from . Maybe these escaping char makes some bad things ?

0 Karma
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...